I'm not familiar with DANE. Is it operational? Does it include changes to TLS
to accept/compare the server's certificate obtained from DANE? If so, then
that part of the proposal can be mooted in favor of DANE.
Yes, it would be simpler to offload the certificate sourcing management to DNS.
However, I'm proposing changes to be implemented entirely within TLS, that are
transparent on the client side. Only the server side would require an
additional interface to accept/reject client connections.
Karl
________________________________
From: Randy Bush <[email protected]>
To: Karl Malbrain <[email protected]>
Cc: Leif Johansson <[email protected]>
Sent: Friday, September 13, 2013 1:24 PM
Subject: Re: [perpass] proposed enhancement to TLS strong authentication protocol
[ off lst ]
> I've dropped the idea of including both client and server public
> certificates in the directory in favor of a server certificate only
> repository with an additional TLS interface to authorize access by
> clients.
so why is this a win over dane?
randy
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass